SA Business faces IT licensing risk
Executive Management and Non-Executive Directors can no longer treat Information Technology (IT) as a black box, trusting that their CIO, outsource service providers, software vendors or IT managers are doing the right thing when it comes to IT Corporate Governance.
The KING III recommendations specifically call for an independent assessment of the adequacy and efficacy of the IT Corporate Governance framework. As such, King III recommendations and requirements under the new Companies Act and Public Management Finance Act (PMFA) have raised the bar on IT governance responsibility and widened the scope beyond listed entities only.
“Organisations need to wake up to the business risks that they face as a result of their IT infrastructure,” says Peter Cook, Specialist Solutions, Alexander Forbes Risk Services.
With hundreds of employees downloading or sharing applications, spreadsheets, charts and images that require specific applications to download, “the scope for the illegal dissemination and unauthorised use of proprietary and licensed technology is endless,” says Cook.
The parlous legal status of IT licensing and usage in most of South Africa’s larger companies has led Alexander Forbes and SCANTRACK, an independent IT asset management business, to establish a joint IT assessment and management consultancy.
Given the current dearth of independent specialist skills in this area, “the alliance between our two organisations and the combination of our respective skills is helping us meet the growing demand for independent review services in the IT risk area,” says Cook.
SCANTRACK has recently completed software compliance reviews for over 300 organisations in South Africa. Findings from these reviews confirm existing Gartner statistics that 35% of software utilised within organisations is under licensed. This costs the general economy R1.5 billion each year and the software industry R3.1 billion in lost income.
The size and materiality of this under licensed position has come as a great surprise to top executives, many of whom have only recently spent a great deal of effort and money introducing corporate governance policies and processes.
And the extent of this unrecognised liability could be much higher if the providers of the software were to become more aggressive in imposing penalty clauses. Penalties in the contracts can run up to R5 000 fines for each illegal copy used and / or a five year maximum prison sentence. A second criminal finding sees the fine rise to R10 000 per copy and a five year maximum sentence.
Cook believes that “most of the under licensed positions were not intentionally created” but have instead arisen due to:
1. Complex Licence Structures – most commercial software is licensed via a complex structure of volume agreements that provide entitlement to use a suite of programs for a period. This often leads to a ‘mis-licensing’ position where what is deployed does not match the entitlement profile purchased.
2. The Deploy Now Pay Later Philosophy – generally leads to a position where the goods have been delivered and are in use before the commercial considerations have been agreed and formalised.
3. Overwhelming Data Volumes – the volume of software titles evidenced on machines in any fairly large sized network can run into many thousands. Since it is often fragmented and incomplete, licence risk assessment is difficult and hence often avoided.
Cook also finds that after a merger the new entity is often paying twice for much of its IT licensing “as each of the original entities continue in their previous licensing agreements without any attempt to consolidate licenses and payments.”
While there are various steps a company can follow, the first step is a thorough overall assessment of the current IT Corporate Governance Framework. The objective here is to identify and highlight significant areas of risk to ensure that the business is not carrying any unrecognised liability, providing “an independent, holistic view of an organisation’s IT Governance framework since just knowing what risks you are running can help you manage them,” says Cook.
“This assessment will provide executives and risk committees with the independent risk assessment recommended by KING III while providing some high level quantification of the various IT risks facing the company” says Cook.
This will enable the organisation to focus its efforts on correcting past errors and begin building an effective IT Corporate Governance Framework going forward. “It will also empower them to be in a far stronger negotiating position with software vendors to negotiate better licensing platforms going forward” adds Cook.
This service can also be extended to provide ongoing licence and IT corporate governance monitoring services to help companies stay on the right side of the law in this complex and potentially very risky area.
